Amazon RDS Security Groups

Security groups control the access that traffic has in and out of a DB instance. Three
types of security groups are used with Amazon RDS: DB security groups, VPC security
groups, and Amazon EC2 security groups. In simple terms, these work as follows:

- A DB security group controls access to EC2-Classic DB instances that are not in a VPC.

- A VPC security group controls access to DB instances and EC2 instances inside a VPC.

- An EC2 security group controls access to an EC2 instance.

By default, network access is turned off to a DB instance. You can specify rules
in a security group that allow access from an IP address range, port, or EC2 security
group. Once ingress rules are configured, the same rules apply to all DB instances
that are associated with that security group. You can specify up to 20 rules in a
security group.

DB Security Groups

DB security groups are used with DB instances that are not in a VPC and on the
EC2-Classic platform. Each DB security group rule enables a specific source to
access a DB instance that is associated with that DB security group. The source can
be a range of addresses (for example, 203.0.113.0/24), or an EC2 security group.
When you specify an EC2 security group as the source, you allow incoming traffic
from all EC2 instances that use that EC2 security group. DB security group rules
apply to inbound traffic only; outbound traffic is not currently permitted for DB
instances.

You don't need to specify a destination port number when you create DB
security group rules. The port number defined for the DB instance is used as the
destination port number for all rules defined for the DB security group. DB security
groups can be created using the Amazon RDS API actions or the Amazon RDS page of the
AWS Management Console.

VPC Security Groups

Each VPC security group rule enables a specific source to access a DB instance in
a VPC that is associated with that VPC security group. The source can be a range of
addresses (for example, 203.0.113.0/24), or another VPC security group. By
specifying a VPC security group as the source, you allow incoming traffic from all
instances (typically application servers) that use the source VPC security group.
VPC security groups can have rules that govern both inbound and outbound traffic,
though the outbound traffic rules typically do not apply to DB instances. Outbound
traffic rules only apply if the DB instance acts as a client. For example, outbound
traffic rules apply to an Oracle DB instance with outbound database links. You must
use the Amazon EC2 API or the Security Group option on the VPC Console to create VPC
security groups.

When you create rules for your VPC security group that allow access to the
instances in your VPC, you must specify a port for each range of addresses that the
rule allows access for. For example, if you want to enable SSH access to instances
in the VPC, then you create a rule allowing access to TCP port 22 for the
specified range of addresses.

You can configure multiple VPC security groups that allow access to different
ports for different instances in your VPC. For example, you can create a VPC
security group that allows access to TCP port 80 for web servers in your VPC. You
can then create another VPC security group that allows access to TCP port 3306 for
RDS MySQL DB instances in your VPC.

For more information on VPC security groups, see Security Groups in the Amazon Virtual Private Cloud User Guide.

DB Security Groups vs. VPC Security Groups

The following table shows the key differences between DB security groups and VPC security
groups.

DB Security Group | VPC Security Group
--- | ---
Controls access to DB instances outside a VPC. | Controls access to DB instances in a VPC.
Uses Amazon RDS API actions or the Amazon RDS page of the AWS Management Console to create and manage the group and its rules. | Uses Amazon EC2 API actions or the Amazon VPC page of the AWS Management Console to create and manage the group and its rules.
When you add a rule to the group, you don't need to specify a port number or protocol. | When you add a rule to the group, specify the protocol as TCP. In addition, specify the same port number that you used to create the DB instances (or options) that you plan to add as members to the group.

Security Group Scenario

A common use of an RDS instance in a VPC is to share data with an application
server running in an Amazon EC2 instance in the same VPC, which is accessed by a client
application outside the VPC. For this scenario, you use the RDS and VPC pages on the
AWS Management Console or the RDS and EC2 API actions to create the necessary instances
and security groups:

1. Create a VPC security group (for example, sg-appsrv1) and define inbound rules
   that use the IP addresses of the client application as the source. This
   security group allows your client application to connect to EC2 instances in
   a VPC that uses this security group.

2. Create an EC2 instance for the application and add the EC2 instance to the VPC
   security group (sg-appsrv1) that you created in the previous step. The EC2
   instance in the VPC shares the VPC security group with the DB instance.

3. Create a second VPC security group (for example, sg-dbsrv1) and create a new rule
   by specifying the VPC security group that you created in step 1 (sg-appsrv1) as
   the source.

4. Create a new DB instance and add the DB instance to the VPC security group
   (sg-dbsrv1) that you created in the previous step. When you create the instance,
   use the same port number as the one specified for the VPC security group
   (sg-dbsrv1) rule that you created in step 3.
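The four steps above, expressed as the boto3 API calls they correspond to, with a check for the pitfall step 4 warns about (the DB port must match the port on the sg-dbsrv1 rule, and that rule's source must be the application security group rather than an address range). This is an added example, not code from the AWS documentation: build_scenario(), check_scenario(), apply_scenario() and the "$sg:N" placeholder convention are constructed for this example, the parameter shapes are those of boto3's create_security_group, authorize_security_group_ingress, run_instances and create_db_instance, and the client-facing port, AMI, subnet and subnet group are assumptions marked as placeholders.

```python
"""Plan the scenario as boto3 calls and check the port/source invariant
before anything is created. Added example, not AWS documentation code."""

from typing import Any, Dict, List

APP_SG, DB_SG = 0, 3   # indexes of the two create_security_group calls below


def build_scenario(vpc_id: str, client_cidr: str, db_port: int = 3306) -> List[Dict[str, Any]]:
    """Return the ordered API calls for steps 1-4. A group ID is only known
    after its create call returns, so later calls reference it as "$sg:N",
    where N is the index of the call that creates the group."""
    return [
        # Step 1: sg-appsrv1, inbound from the client application's addresses
        # (TCP 443 is an assumption; the scenario does not name the port).
        {"svc": "ec2", "method": "create_security_group",
         "params": {"GroupName": "sg-appsrv1", "VpcId": vpc_id,
                    "Description": "application servers reached by clients"}},
        {"svc": "ec2", "method": "authorize_security_group_ingress",
         "params": {"GroupId": "$sg:0", "IpPermissions": [
             {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
              "IpRanges": [{"CidrIp": client_cidr}]}]}},
        # Step 2: the application instance joins sg-appsrv1 (AMI and subnet are placeholders).
        {"svc": "ec2", "method": "run_instances",
         "params": {"ImageId": "ami-PLACEHOLDER", "SubnetId": "subnet-PLACEHOLDER",
                    "InstanceType": "t3.micro", "MinCount": 1, "MaxCount": 1,
                    "SecurityGroupIds": ["$sg:0"]}},
        # Step 3: sg-dbsrv1, whose only inbound rule names sg-appsrv1 as the source.
        {"svc": "ec2", "method": "create_security_group",
         "params": {"GroupName": "sg-dbsrv1", "VpcId": vpc_id,
                    "Description": "DB instances reached only from sg-appsrv1"}},
        {"svc": "ec2", "method": "authorize_security_group_ingress",
         "params": {"GroupId": "$sg:3", "IpPermissions": [
             {"IpProtocol": "tcp", "FromPort": db_port, "ToPort": db_port,
              "UserIdGroupPairs": [{"GroupId": "$sg:0"}]}]}},
        # Step 4: the DB instance joins sg-dbsrv1 and listens on the same port.
        {"svc": "rds", "method": "create_db_instance",
         "params": {"DBInstanceIdentifier": "dbsrv1", "Engine": "mysql",
                    "DBInstanceClass": "db.t3.micro", "AllocatedStorage": 20,
                    "Port": db_port, "VpcSecurityGroupIds": ["$sg:3"],
                    "DBSubnetGroupName": "SUBNET-GROUP-PLACEHOLDER",
                    "MasterUsername": "admin", "ManageMasterUserPassword": True}},
    ]


def check_scenario(calls: List[Dict[str, Any]]) -> List[str]:
    """Return the problems step 4 warns about: every rule on a group attached
    to the DB instance must open exactly the DB port, and its source must be
    a security group, not an address range. An empty list means consistent."""
    problems = []
    db = next(c for c in calls if c["method"] == "create_db_instance")
    db_port = db["params"]["Port"]
    db_sg_refs = set(db["params"]["VpcSecurityGroupIds"])
    for c in calls:
        if c["method"] != "authorize_security_group_ingress":
            continue
        group = c["params"]["GroupId"]
        if group not in db_sg_refs:
            continue
        for perm in c["params"]["IpPermissions"]:
            if (perm["FromPort"], perm["ToPort"]) != (db_port, db_port):
                problems.append(f"rule on {group} opens {perm['FromPort']}-{perm['ToPort']}, "
                                f"but the DB instance listens on {db_port}")
            if perm.get("IpRanges") and not perm.get("UserIdGroupPairs"):
                problems.append(f"rule on {group} uses an address range as source "
                                "instead of the application security group")
    return problems


def _resolve(obj: Any, ids: Dict[int, str]) -> Any:
    """Replace "$sg:N" placeholders with the GroupId returned by call N."""
    if isinstance(obj, str) and obj.startswith("$sg:"):
        return ids[int(obj[4:])]
    if isinstance(obj, dict):
        return {k: _resolve(v, ids) for k, v in obj.items()}
    if isinstance(obj, list):
        return [_resolve(v, ids) for v in obj]
    return obj


def apply_scenario(calls: List[Dict[str, Any]], session: Any) -> Dict[int, str]:
    """Run the calls through a boto3 session, wiring real group IDs into later calls."""
    ids: Dict[int, str] = {}
    for i, call in enumerate(calls):
        client = session.client(call["svc"])
        resp = getattr(client, call["method"])(**_resolve(call["params"], ids))
        if call["method"] == "create_security_group":
            ids[i] = resp["GroupId"]
    return ids


if __name__ == "__main__":
    plan = build_scenario("vpc-PLACEHOLDER", "198.51.100.0/24")
    found = check_scenario(plan)
    if found:
        raise SystemExit("\n".join(found))
    import boto3  # only needed for the live run against an AWS account
    print(apply_scenario(plan, boto3.Session()))
```

The plan is checked before any call is made, so a port mismatch between the DB instance and the sg-dbsrv1 rule is caught offline; the live run needs boto3 and credentials and is only reached when the check passes.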

Deleting DB VPC Security Groups

DB VPC security groups are an RDS mechanism to synchronize security information
with a VPC security group. However, this synchronization is no longer required,
because RDS has been updated to use VPC security group information directly.

Note

DB VPC security groups are deprecated, and they are different from DB security
groups, VPC security groups, and EC2 security groups.

We strongly recommend that you delete any DB VPC security groups that you
currently use. If you don't delete your DB VPC security groups, you might
encounter unintended behaviors with your RDS DB instances, which can be as severe
as losing access to a DB instance. The unintended behaviors are a result of an action
such as an update to a DB instance, an option group, or similar. Such updates cause
RDS to resynchronize the DB VPC security group with the VPC security group. This
resynchronization can result in your security information being overwritten with
incorrect and outdated security information. This result can have a severe impact
on your access to your RDS DB instances.

How Can I Determine If I Have a DB VPC Security Group?

Because DB VPC security groups have been deprecated, they don't appear in
the RDS console. However, you can call the describe-db-security-groups AWS CLI command or the DescribeDBSecurityGroups API action to determine if you have any
DB VPC security groups.

To do so, call the describe-db-security-groups AWS CLI command with JSON specified
as the output format. You can then identify DB VPC security groups by the VPC
identifier on the second line of the output for the security group, as shown in
the following example.

How Do I Delete a DB VPC Security Group?

After you delete a DB VPC security group, your DB instances in your VPC
continue to be secured by the VPC security group for that VPC. The DB VPC
security group that was deleted was merely a copy of the VPC security group
information.
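The check and the deletion from the two questions above, as an added example that is not part of the AWS documentation: it reads the JSON that `aws rds describe-db-security-groups --output json` produces, keeps only the groups that carry a VpcId (the marker of a DB VPC security group), and prints one `aws rds delete-db-security-group` command per group. SAMPLE_OUTPUT is constructed to mirror the shape of that JSON; its group names, VPC ID and account ID are invented.

```python
"""Find deprecated DB VPC security groups in describe-db-security-groups
output and print the delete command for each. Added example, not AWS code."""

import json
import shlex
import sys
from typing import Dict, List

# Constructed sample: one EC2-Classic DB security group (no VpcId) and one
# deprecated DB VPC security group, which carries the VPC identifier.
SAMPLE_OUTPUT = json.dumps({
    "DBSecurityGroups": [
        {
            "DBSecurityGroupName": "classic-db-sg",
            "DBSecurityGroupDescription": "EC2-Classic group",
            "OwnerId": "123456789012",
            "EC2SecurityGroups": [],
            "IPRanges": [{"Status": "authorized", "CIDRIP": "203.0.113.0/24"}],
        },
        {
            "DBSecurityGroupName": "vpc-sync-sg",
            "VpcId": "vpc-0example0",
            "DBSecurityGroupDescription": "synchronized copy of a VPC security group",
            "OwnerId": "123456789012",
            "EC2SecurityGroups": [],
            "IPRanges": [],
        },
    ]
})


def db_vpc_security_groups(describe_output: str) -> List[Dict[str, str]]:
    """Return {name, vpc_id} for every group that carries a VpcId. A DB
    security group without a VpcId belongs to EC2-Classic and is left alone."""
    data = json.loads(describe_output)
    return [{"name": g["DBSecurityGroupName"], "vpc_id": g["VpcId"]}
            for g in data.get("DBSecurityGroups", []) if g.get("VpcId")]


def delete_commands(groups: List[Dict[str, str]]) -> List[str]:
    """One delete-db-security-group invocation per group. The DB instances in
    the VPC stay protected by the VPC security group the deleted copy mirrored."""
    return [f"aws rds delete-db-security-group --db-security-group-name {shlex.quote(g['name'])}"
            for g in groups]


if __name__ == "__main__":
    # Usage: aws rds describe-db-security-groups --output json | python3 find_db_vpc_sg.py
    # With no piped input the constructed sample is used instead.
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    found = db_vpc_security_groups(raw)
    for g in found:
        print(f"# {g['name']} is a DB VPC security group for {g['vpc_id']}")
    print("\n".join(delete_commands(found)))
```

The script only prints the delete commands so that the list can be reviewed before anything is removed; DB security groups without a VpcId are EC2-Classic groups and are never listed.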

Review Your AWS CloudFormation Templates

Older versions of AWS CloudFormation templates can contain instructions to create
a DB VPC security group. Because DB VPC security groups are not yet fully deprecated,
they can still be created. Make sure that any AWS CloudFormation templates that you
use to provision a DB instance with security settings don't also create a DB VPC
security group. Don't use AWS CloudFormation templates that create an RDS
DBSecurityGroup with an EC2VpcId as shown in the following example.
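A template scan for the pattern described above, as an added example that is not part of the AWS documentation: it flags every AWS::RDS::DBSecurityGroup resource that sets EC2VpcId (that is, a DB VPC security group) together with the AWS::RDS::DBInstance resources that attach one through DBSecurityGroups, and shows the same deployment expressed with an AWS::EC2::SecurityGroup and VPCSecurityGroups, which RDS reads directly. Both templates are constructed for the example; the scanner handles the JSON template form only (a YAML template would need a YAML parser first), and EC2VpcId, DBSecurityGroups and VPCSecurityGroups are the real CloudFormation property names.

```python
"""Flag CloudFormation templates that create a DB VPC security group.
Added example, not AWS documentation code; both templates are constructed."""

import json
from typing import Any, Dict, List

# Constructed: the pattern to avoid. The DBSecurityGroup with EC2VpcId is a
# DB VPC security group, and the instance attaches it through DBSecurityGroups.
DEPRECATED_TEMPLATE = json.dumps({
    "Resources": {
        "DbVpcGroup": {
            "Type": "AWS::RDS::DBSecurityGroup",
            "Properties": {
                "EC2VpcId": {"Ref": "VpcId"},
                "GroupDescription": "DB VPC security group (deprecated)",
                "DBSecurityGroupIngress": [{"EC2SecurityGroupId": {"Ref": "AppSg"}}],
            },
        },
        "Database": {
            "Type": "AWS::RDS::DBInstance",
            "Properties": {"Engine": "mysql", "DBInstanceClass": "db.t3.micro",
                           "AllocatedStorage": "20",
                           "DBSecurityGroups": [{"Ref": "DbVpcGroup"}]},
        },
    }
})

# Constructed: the same intent with a VPC security group that RDS uses
# directly, so there is no copy for RDS to resynchronize.
CURRENT_TEMPLATE = json.dumps({
    "Resources": {
        "DbSg": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "VpcId": {"Ref": "VpcId"},
                "GroupDescription": "DB instances reachable only from the app group",
                "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 3306,
                                          "ToPort": 3306,
                                          "SourceSecurityGroupId": {"Ref": "AppSg"}}],
            },
        },
        "Database": {
            "Type": "AWS::RDS::DBInstance",
            "Properties": {"Engine": "mysql", "DBInstanceClass": "db.t3.micro",
                           "AllocatedStorage": "20", "Port": "3306",
                           "VPCSecurityGroups": [{"Ref": "DbSg"}]},
        },
    }
})


def _refs(value: Any) -> List[str]:
    """Collect every {"Ref": name} nested inside a property value."""
    if isinstance(value, dict):
        if set(value) == {"Ref"} and isinstance(value["Ref"], str):
            return [value["Ref"]]
        return [r for v in value.values() for r in _refs(v)]
    if isinstance(value, list):
        return [r for v in value for r in _refs(v)]
    return []


def find_db_vpc_security_groups(template_json: str) -> Dict[str, List[str]]:
    """Return {"groups": [...], "instances": [...]}: the DBSecurityGroup
    resources that set EC2VpcId, and the DBInstance resources attaching one."""
    resources = json.loads(template_json).get("Resources", {})
    groups = [name for name, res in resources.items()
              if res.get("Type") == "AWS::RDS::DBSecurityGroup"
              and "EC2VpcId" in res.get("Properties", {})]
    instances = [name for name, res in resources.items()
                 if res.get("Type") == "AWS::RDS::DBInstance"
                 and set(_refs(res.get("Properties", {}).get("DBSecurityGroups", []))) & set(groups)]
    return {"groups": groups, "instances": instances}


if __name__ == "__main__":
    for label, template in (("deprecated", DEPRECATED_TEMPLATE), ("current", CURRENT_TEMPLATE)):
        print(label, find_db_vpc_security_groups(template))
```

Run against a real template with `find_db_vpc_security_groups(open("template.json").read())`; a non-empty "groups" list means the template still creates a DB VPC security group and should be rewritten the way CURRENT_TEMPLATE shows.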